CVE-2022-39268

orchest vulnerable to cross-site request forgery that allows control of a user instance

Description

### Impact In a CSRF attack, an innocent end user is tricked by an attacker into submitting a web request that they did not intend. This may cause actions to be performed on the website that can include inadvertent client or server data leakage, change of session state, or manipulation of an end user's account. ### Patch Upgrade to v2022.09.10 to patch this vulnerability. ### Workarounds Rebuild and redeploy the Orchest `auth-server` with this commit: https://github.com/orchest/orchest/commit/c2587a963cca742c4a2503bce4cfb4161bf64c2d ### References https://en.wikipedia.org/wiki/Cross-site_request_forgery https://cwe.mitre.org/data/definitions/352.html ### For more information If you have any questions or comments about this advisory: * Open an issue in https://github.com/orchest/orchest * Email us at rick@orchest.io

Category

8.1
CVSS
Severity: High
CVSS 3.1 •
EPSS 0.08%
Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com Third-Party Advisory github.com
Affected: orchest orchest
Published at:
Updated at:

References

Link Tags
https://github.com/orchest/orchest/security/advisories/GHSA-q44f-8jpw-qv4j third party advisory
https://github.com/orchest/orchest/pull/1324 third party advisory patch
https://github.com/orchest/orchest/commit/c2587a963cca742c4a2503bce4cfb4161bf64c2d third party advisory patch
https://github.com/orchest/orchest/releases/tag/v2022.09.10 third party advisory release notes

Frequently Asked Questions

What is the severity of CVE-2022-39268?
CVE-2022-39268 has been scored as a high severity vulnerability.
How to fix CVE-2022-39268?
To fix CVE-2022-39268, make sure you are using an up-to-date version of the affected component(s) by checking the vendor release notes. As for now, there are no other specific guidelines available.
Is CVE-2022-39268 being actively exploited in the wild?
As for now, there are no information to confirm that CVE-2022-39268 is being actively exploited. According to its EPSS score, there is a ~0% probability that this vulnerability will be exploited by malicious actors in the next 30 days.
What software or system is affected by CVE-2022-39268?
CVE-2022-39268 affects orchest orchest.
This platform uses data from the NIST NVD, MITRE CVE, MITRE CWE, First.org and CISA KEV but is not endorsed or certified by these entities. CVE is a registred trademark of the MITRE Corporation and the authoritative source of CVE content is MITRE's CVE web site. CWE is a registred trademark of the MITRE Corporation and the authoritative source of CWE content is MITRE's CWE web site.
© 2025 Under My Watch. All Rights Reserved.